1. Technical Field
This application generally relates to client-server data processing systems, to the delivery of content over computer networks, to systems and methods for conserving server resources, and to systems and method for handling computer-based attacks.
2. Brief Description of the Related Art
Computer-based attacks are an increasing problem for servers that provide remote services, such as cloud storage and web applications, that serve websites, or that provide other online solutions.
In a typical denial of service (DoS) attack, for example, an attacker attempts to disrupt the operation of a target server such that the target server cannot provide an acceptable quality-of-service to legitimate clients. Such attacks are a significant problem, as an outage at a website may cause considerable interruptions to the services provided by web applications, loss of revenue for e-commerce businesses, as well as negative publicity.
In one kind of DoS attack, an attacker (via their own computer or a set of conscripted computers often referred to as ‘bots’) sends a high volume of requests to a target server. Eventually, the target server is unable to respond to the volume of requests, resulting in slow performance or an outright failure.
Another kind of DoS attack is a ‘slow’ DoS attack. Generally, in such attacks an attacker attempts to tie up its resources by interacting with a target server in an artificially slow fashion. One kind of a slow attack is known as a slow ‘GET’ attack (aka Slow Loris), in which an attacker slowly sends the headers that make up an HTTP ‘GET’ request. The target server dutifully waits for the attacker to complete the GET request. Normally, the server would receive the entire GET request, process it, and move on to other requests, closing the connection and releasing associated resources allocated to the connection. But the attacker's slow GET request delays or prevents this from happening, tying up the server's memory, processing and other resources allocated to the connection. It thus impacts the target server's ability to service other, legitimate clients. Oftentimes, an attacker will seek to open a large number of such bogus connections with intentionally slow requests, multiplying the effect of the attack. A single web client can hold open hundreds to thousands of such connections, each one sending only a few bytes of data each second. Another kind of slow attack is a slow ‘POST’ attack, in which an attacker sends an HTTP POST message body at a low data rate, forcing the target server to hold open the client connection for an extended period of time as it waits for the message body to complete, leading to the same resource issues as with the slow ‘GET’ attack.
The goal of these attacks is to try to impact or exhaust server resources. Hence, there is a need for improved ways of conserving server resources in the face of such attacks and threats. There is also a need for improved ways of combating identified attacking clients and gathering information about them when they are encountered. Such improvements would be useful not only against known threats like DoS attacks, but against future resource-exhaustion attacks and moreover against any clients and/or connections that a server determines are behaving in an undesirable way. The teachings herein address these needs and offer other advantages, features, and uses that will become apparent in view of this disclosure.